HIPAA Journal – $8.9 million settlement

Highlights from the HIPAA Journal

From the April 27th Newsletter

A settlement proposed by Banner Health to resolve a 3.7 million-record data breach in 2016 has gained final approval from a federal judge.

  • The $8.9 million settlement was proposed in December 2019 to cover claims from victims of the breach and legal fees.
  • The health system was attacked by hackers via the payment processing system used in the food and beverage outlets in its hospitals.

The World Health Organization (WHO) has seen a spike in hackers trying to access its network.

  • Per the WHO, the attacks are up five times from the same time in 2019.
  • In the most recent event, the WHO had 25,000 email and password combos released online. While most were not active accounts, 457 of them were still active.

Apple and Google have developed contact tracing technology to help track people who have come into close contact with individuals confirmed as having contracted COVID-19. The technology could be invaluable in the fight against SARS-CoV-19; however, the Electronic Frontier Foundation (EFF) has warned that in its current form, the system could be abused by cybercriminals.

Human-operated ransomware attacks on healthcare organizations and critical infrastructure have increased during the COVID-19 pandemic.

  • Many ransomware attacks are automated and start with a phishing email. Once ransomware is downloaded, it typically runs its encryption routine within an hour.
  • One of the most common methods of attack is through Remote Desktop Protocol and Virtual Desktop endpoints that lack multi-factor authentication, either through the use of stolen credentials or through brute force tactics to guess weak passwords.

Recent cyber/ransomware attacks related to the Healthcare industry

  • Ambry Genetics, an Aliso Viejo, CA-based genetic testing laboratory, is notifying 232,772 individuals that some of their protected health information was exposed as a result of a recent email security breach. At almost 233,000 records, this is the second largest healthcare data breach to be reported in 2020.
  • Arizona Endocrinology Center is alerting 74,122 patients that some of their protected health information has been impermissibly disclosed to another medical group by a physician after he left the practice.
  • Parkview Medical Center in Pueblo, Colorado is recovering from a ransomware attack that started on April 21, 2020. It is not known if this was a manual or automated ransomware attack and if any sensitive data was exfiltrated by the attackers prior to the deployment of ransomware.
  • ExecuPharm, a Pennsylvania-based pharmaceutical company, experienced a ransomware attack in March of this year. In addition to company information being exposed, private employee information was taken as well. Per the journal, information was released to the public because the ransom was not paid.
  • Brandywine Counselling and Community Services in Delaware was attacked in February of this year. The attack has been reported to the HHS’ Office for Civil Rights as affecting 4,262 individuals. The data stolen in the attack includes clients’ names, addresses, dates of birth, and/or limited clinical information, such as provider name(s), diagnosis, prescription(s), and/or treatment information, and a limited number of Social Security numbers and driver’s license numbers.